{
  "type": "Domain",
  "indicator": "zimbra-beta.info",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/zimbra-beta.info",
    "alexa": "http://www.alexa.com/siteinfo/zimbra-beta.info",
    "indicator": "zimbra-beta.info",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4041185515,
      "indicator": "zimbra-beta.info",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "69f3a95eda9a5492f5d1b6f4",
          "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
          "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...",
          "modified": "2026-05-30T19:00:26.349000",
          "created": "2026-04-30T19:11:26.525000",
          "tags": [
            "vshell",
            "proxylogon exploitation",
            "godzilla",
            "exchange server compromise",
            "ringq",
            "godzilla webshell",
            "shadowpad",
            "noodlerat"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
          ],
          "public": 1,
          "adversary": "SHADOW-EARTH-053",
          "targeted_countries": [
            "British Indian Ocean Territory",
            "India",
            "Malaysia",
            "Myanmar",
            "Pakistan",
            "Poland",
            "Sri Lanka",
            "Taiwan",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "GODZILLA",
              "display_name": "GODZILLA",
              "target": null
            },
            {
              "id": "ShadowPad - S0596",
              "display_name": "ShadowPad - S0596",
              "target": null
            },
            {
              "id": "POISONPLUG.SHADOW",
              "display_name": "POISONPLUG.SHADOW",
              "target": null
            },
            {
              "id": "NOODLERAT",
              "display_name": "NOODLERAT",
              "target": null
            },
            {
              "id": "RingQ",
              "display_name": "RingQ",
              "target": null
            },
            {
              "id": "IOX",
              "display_name": "IOX",
              "target": null
            },
            {
              "id": "VShell",
              "display_name": "VShell",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1560.001",
              "name": "Archive via Utility",
              "display_name": "T1560.001 - Archive via Utility"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1003.006",
              "name": "DCSync",
              "display_name": "T1003.006 - DCSync"
            },
            {
              "id": "T1090.001",
              "name": "Internal Proxy",
              "display_name": "T1090.001 - Internal Proxy"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Technology",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 36,
            "IPv4": 2,
            "domain": 3,
            "hostname": 18,
            "CVE": 5
          },
          "indicator_count": 94,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386446,
          "modified_text": "36 minutes ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c066362e3ef75c6173eab4",
          "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations",
          "description": "Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems. Squidoor is modular and designed for stealth, utilizing multiple communication protocols\u2014including Outlook API, DNS tunneling, and ICMP tunneling\u2014to establish covert channels with command and control servers. Initial access is typically achieved by exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of obfuscated web shells for persistent access.",
          "modified": "2025-03-29T13:00:48.397000",
          "created": "2025-02-27T13:18:46.410000",
          "tags": [
            "squidoor",
            "backdoor",
            "apt",
            "espionage"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
          ],
          "public": 1,
          "adversary": "Squidoor",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [
            "Government",
            "Education",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 22,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 37,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386448,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f97a64033cedf372cf42a0",
          "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
          "description": "",
          "modified": "2026-05-30T19:00:26.349000",
          "created": "2026-05-05T05:04:36.248000",
          "tags": [
            "vshell",
            "proxylogon exploitation",
            "godzilla",
            "exchange server compromise",
            "ringq",
            "godzilla webshell",
            "shadowpad",
            "noodlerat"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
          ],
          "public": 1,
          "adversary": "SHADOW-EARTH-053",
          "targeted_countries": [
            "British Indian Ocean Territory",
            "India",
            "Malaysia",
            "Myanmar",
            "Pakistan",
            "Poland",
            "Sri Lanka",
            "Taiwan",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "GODZILLA",
              "display_name": "GODZILLA",
              "target": null
            },
            {
              "id": "ShadowPad - S0596",
              "display_name": "ShadowPad - S0596",
              "target": null
            },
            {
              "id": "POISONPLUG.SHADOW",
              "display_name": "POISONPLUG.SHADOW",
              "target": null
            },
            {
              "id": "NOODLERAT",
              "display_name": "NOODLERAT",
              "target": null
            },
            {
              "id": "RingQ",
              "display_name": "RingQ",
              "target": null
            },
            {
              "id": "IOX",
              "display_name": "IOX",
              "target": null
            },
            {
              "id": "VShell",
              "display_name": "VShell",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1560.001",
              "name": "Archive via Utility",
              "display_name": "T1560.001 - Archive via Utility"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1003.006",
              "name": "DCSync",
              "display_name": "T1003.006 - DCSync"
            },
            {
              "id": "T1090.001",
              "name": "Internal Proxy",
              "display_name": "T1090.001 - Internal Proxy"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Technology",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": "69f3a95eda9a5492f5d1b6f4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 40,
            "domain": 3,
            "hostname": 18,
            "CVE": 5
          },
          "indicator_count": 96,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "36 minutes ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5fa1852d337eca8e99c2ec32",
          "name": "Malware - Malware Domain Feed V2 - November 03 2020",
          "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
          "modified": "2026-05-30T03:19:46.084000",
          "created": "2020-11-03T16:28:29.011000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 552045,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo",
            "id": "78495",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 49967,
            "domain": 75353
          },
          "indicator_count": 125320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1727,
          "modified_text": "16 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fbad82234fc33123b0ce6d",
          "name": "EbeeMay2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-06T21:07:14.769000",
          "created": "2026-05-06T21:07:14.769000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "filepath",
            "localappdata",
            "cve20250994 cve",
            "temp",
            "mutex",
            "local"
          ],
          "references": [
            "IOCs-May1.csv"
          ],
          "public": 1,
          "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 80,
            "CIDR": 3,
            "CVE": 10,
            "FileHash-MD5": 154,
            "FileHash-SHA1": 140,
            "FileHash-SHA256": 219,
            "URL": 80,
            "domain": 82,
            "email": 8,
            "hostname": 60
          },
          "indicator_count": 836,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "23 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fae85d3be396349f6fe7a2",
          "name": "China Aligned Cyberespionage Campaign Targets Governments",
          "description": "Cybersecurity researchers have identified a China-aligned espionage campaign targeting government and defense organizations across South, East, and Southeast Asia, as well as a European NATO member. The activity cluster, tracked as SHADOW-EARTH-053, has been active since at least late 2024 and shows overlaps with previously known threat groups.\n\nResearchers said the attackers primarily exploit known vulnerabilities in internet-facing Microsoft Exchange and IIS servers, including flaws similar to...",
          "modified": "2026-05-06T07:06:05.988000",
          "created": "2026-05-06T07:06:05.988000",
          "tags": [
            "initial-access",
            "persistence",
            "privilege-escalation",
            "exfiltration",
            "T1190",
            "T1204",
            "T1215",
            "medium",
            "vta",
            "threat-intelligence"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "IPv4": 4,
            "FileHash-SHA256": 4,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f8fcb054d52df9fcf32d55",
          "name": "TI Advisory No-ESAF-SOC-TI-2026-441-443",
          "description": "",
          "modified": "2026-05-04T20:08:16.187000",
          "created": "2026-05-04T20:08:16.187000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 21,
            "IPv4": 9,
            "domain": 5,
            "hostname": 27
          },
          "indicator_count": 104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "25 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f64f570bb1ed019da8bf00",
          "name": "China Linked Hackers Targets Multiple Government Sectors",
          "description": "A China-aligned threat group tracked as SHADOW-EARTH-053 is conducting cyber espionage by exploiting vulnerabilities in internet-facing Microsoft Exchange and IIS servers.",
          "modified": "2026-05-02T19:24:07.746000",
          "created": "2026-05-02T19:24:07.746000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "IPv4": 4,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "28 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "351 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d345231c2eccfcce4d97ce",
          "name": "Squidoor Backdoor Malware Exploits IIS Servers for Stealthy Attacks",
          "description": "A highly advanced backdoor malware, dubbed \"Squidoor,\" is being used by suspected Chinese threat actors to target organizations in South America and Southeast Asia. The malware is designed for stealth and persistence, enabling attackers to maintain access to compromised networks while evading detection.",
          "modified": "2025-04-12T20:04:25.096000",
          "created": "2025-03-13T20:50:43.530000",
          "tags": [
            "squidoor",
            "figure",
            "pastebin",
            "windows",
            "c2 server",
            "windows version",
            "southeast asia",
            "south america",
            "linux",
            "outlook api",
            "alliance",
            "icmp",
            "impacket",
            "code",
            "powershell",
            "february",
            "protect",
            "chinese"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chinese",
              "display_name": "Chinese",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Squidoor",
              "display_name": "Squidoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [
            "Defense",
            "Telecommunication",
            "Education",
            "Aviation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 22,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 22,
            "domain": 4,
            "hostname": 2
          },
          "indicator_count": 72,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "412 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c12f0d27427e63858406d0",
          "name": "IOC&TTP - Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations",
          "description": "\u672c\u6587\u5206\u6790\u4e86\u4e00\u7ec4\u6076\u610f\u6d3b\u52a8\uff0c\u7f16\u53f7\u4e3a CL-STA-0049\u3002\u81ea 2023\u5e743\u6708 \u4ee5\u6765\uff0c\u8be5\u6d3b\u52a8\u7591\u4f3c\u7531\u4e2d\u56fd\u80cc\u666f\u7684\u5a01\u80c1\u884c\u4e3a\u8005\u53d1\u8d77\uff0c\u4e3b\u8981\u9488\u5bf9 \u4e1c\u5357\u4e9a\u548c\u5357\u7f8e\u5730\u533a \u7684\u653f\u5e9c\u3001\u56fd\u9632\u3001\u7535\u4fe1\u3001\u6559\u80b2\u548c\u822a\u7a7a\u9886\u57df\u7684\u7ec4\u7ec7\u3002\u653b\u51fb\u8005\u7684\u4e3b\u8981\u76ee\u6807\u5305\u62ec \u7a83\u53d6\u654f\u611f\u4fe1\u606f\uff0c\u7279\u522b\u662f\u6d89\u53ca\u9ad8\u5c42\u5b98\u5458\u53ca\u76f8\u5173\u4e2a\u4eba\u7684\u6570\u636e\u3002\n\n\u8c03\u67e5\u8fc7\u7a0b\u4e2d\uff0c\u7814\u7a76\u4eba\u5458\u63ed\u793a\u4e86\u8be5\u653b\u51fb\u8005\u7684 \u6218\u672f\u3001\u6280\u672f\u4e0e\u7a0b\u5e8f\uff08TTPs\uff09\uff0c\u5305\u62ec \u653b\u51fb\u6d41\u7a0b\u3001\u901a\u8fc7Web Shell\u8fdb\u884c\u521d\u59cb\u6e17\u900f \u53ca \u9690\u853d\u901a\u4fe1\u6e20\u9053\u3002\u5176\u4e2d\uff0c\u653b\u51fb\u8005\u5229\u7528\u4e86\u4e00\u79cd \u65b0\u578b\u590d\u6742\u7684\u540e\u95e8\u7a0b\u5e8f\u2014\u2014Squidoor\uff08\u53c8\u540dFinalDraft\uff09\uff0c\u9002\u7528\u4e8e Windows \u548c Linux \u5e73\u53f0\u3002\u672c\u7814\u7a76\u9996\u6b21\u63ed\u793a\u4e86 Squidoor \u7684 Windows \u53d8\u79cd\uff0c\u5e76\u6df1\u5165\u5206\u6790\u4e86\u5176 \u6307\u6325\u4e0e\u63a7\u5236\uff08C2\uff09\u901a\u4fe1\u673a\u5236\u3002\n\nSquidoor \u5177\u5907\u4ee5\u4e0b\u7279\u6027\uff1a\n\n\u91c7\u7528 \u6a21\u5757\u5316\u8bbe\u8ba1\uff0c\u652f\u6301\u591a\u79cd\u9690\u853d\u901a\u4fe1\u65b9\u5f0f\uff0c\u5305\u62ec\uff1a\nOutlook API\nDNS \u96a7\u9053\nICMP \u96a7\u9053\n\u5177\u5907 \u4fe1\u606f\u6536\u96c6\u3001\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u3001\u8fdb\u7a0b\u6ce8\u5165 \u548c \u6a2a\u5411\u79fb\u52a8 \u7b49\u529f\u80fd\u3002\n\u901a\u8fc7 Microsoft Console Debugger (cdb.exe) \u8fdb\u884c \u4ee3\u7801\u6ce8\u5165\uff0c\u4ee5\u89c4\u907f\u68c0\u6d4b\u3002\n\u5229\u7528 Web Shell \u8fdb\u884c \u521d\u59cb\u8bbf\u95ee\uff0c\u5e76\u90e8\u7f72\u591a\u4e2a\u53d8\u79cd\uff0c\u5982\uff1a\nOutlookDC.aspx\nError.aspx\nTimeoutAPI.aspx\n\u901a\u8fc7 Pastebin \u5b58\u50a8\u548c\u7ba1\u7406\u6076\u610f\u7ec4\u4ef6\u53ca API \u8bbf\u95ee\u4ee4\u724c\u3002\n\u7814\u7a76\u8868\u660e\uff0c\u653b\u51fb\u8005 \u4e3b\u8981\u5229\u7528 IIS \u670d\u52a1\u5668\u6f0f\u6d1e \u8fdb\u884c\u5165\u4fb5\uff0c\u5e76\u4f7f\u7528\u591a\u79cd\u6280\u672f \u5728\u53d7\u5bb3\u7f51\u7edc\u5185\u90e8\u6269\u5c55\u63a7\u5236\u6743\uff0c\u4ee5\u589e\u5f3a \u6301\u4e45\u6027\u548c\u9690\u533f\u6027\u3002Squidoor \u5177\u5907 10\u79cdWindows C2\u901a\u4fe1\u65b9\u6cd5 \u548c 9\u79cdLinux C2\u901a\u4fe1\u65b9\u6cd5\uff0c\u80fd\u591f\u9002\u5e94\u4e0d\u540c\u653b\u51fb\u573a\u666f\u5e76\u964d\u4f4e\u88ab\u53d1\u73b0\u7684\u98ce\u9669\u3002",
          "modified": "2025-03-29T13:00:48.397000",
          "created": "2025-02-28T03:35:41.599000",
          "tags": [
            "squidoor",
            "backdoor",
            "apt",
            "espionage"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
          ],
          "public": 1,
          "adversary": "Squidoor",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [
            "Government",
            "Education",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": "67c066362e3ef75c6173eab4",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 22,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 37,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c14eb2274e6f1a616cfb88",
          "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations",
          "description": "",
          "modified": "2025-03-29T13:00:48.397000",
          "created": "2025-02-28T05:50:42.508000",
          "tags": [
            "squidoor",
            "backdoor",
            "apt",
            "espionage"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
          ],
          "public": 1,
          "adversary": "Squidoor",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [
            "Government",
            "Education",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": "67c066362e3ef75c6173eab4",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 22,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 37,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c059a1bd914ff0f240ce76",
          "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations",
          "description": "A suspected Chinese threat actor has targeted governments, telecommunication and aviation sectors in Southeast Asia and South America, according to research carried out by Palo Alto Networks and the International Institute of Strategic Studies (IISS).",
          "modified": "2025-03-29T12:02:30.930000",
          "created": "2025-02-27T12:25:04.346000",
          "tags": [
            "squidoor",
            "figure",
            "pastebin",
            "windows",
            "c2 server",
            "windows version",
            "southeast asia",
            "south america",
            "linux",
            "outlook api",
            "alliance",
            "icmp",
            "impacket",
            "code",
            "powershell",
            "february",
            "protect",
            "chinese"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chinese",
              "display_name": "Chinese",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Squidoor",
              "display_name": "Squidoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [
            "Defense",
            "Telecommunication",
            "Education",
            "Aviation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 22,
            "domain": 4,
            "hostname": 2
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c049bf63a59cb4293d9b1d",
          "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations",
          "description": "A suspected Chinese threat actor has targeted governments, telecommunication and aviation sectors in Southeast Asia and South America, according to research carried out by Palo Alto Networks and the International Institute of Strategic Studies (IISS).",
          "modified": "2025-03-29T11:00:07.077000",
          "created": "2025-02-27T11:17:19.641000",
          "tags": [
            "squidoor",
            "figure",
            "pastebin",
            "windows",
            "c2 server",
            "windows version",
            "southeast asia",
            "south america",
            "linux",
            "outlook api",
            "alliance",
            "icmp",
            "impacket",
            "code",
            "powershell",
            "february",
            "protect",
            "chinese"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chinese",
              "display_name": "Chinese",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Squidoor",
              "display_name": "Squidoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [
            "Defense",
            "Telecommunication",
            "Education",
            "Aviation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Aaryanaggarwal",
            "id": "289580",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 22,
            "domain": 4,
            "hostname": 2
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 32,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "IOCs-May1.csv",
        "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Squidoor",
            "SHADOW-EARTH-053"
          ],
          "malware_families": [
            "Noodlerat",
            "Godzilla",
            "Ringq",
            "Poisonplug.shadow",
            "Vshell",
            "Iox",
            "Shadowpad - s0596"
          ],
          "industries": [
            "Aerospace",
            "Government",
            "Education",
            "Defense",
            "Transportation",
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
            "Squidoor",
            "SHADOW-EARTH-053"
          ],
          "malware_families": [
            "Noodlerat",
            "Godzilla",
            "Ringq",
            "Poisonplug.shadow",
            "Vshell",
            "Windows",
            "Iox",
            "Chinese",
            "Shadowpad - s0596",
            "Squidoor"
          ],
          "industries": [
            "Aerospace",
            "Government",
            "Education",
            "Defense",
            "Aviation",
            "Transportation",
            "Technology",
            "Telecommunication"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "69f3a95eda9a5492f5d1b6f4",
      "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
      "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...",
      "modified": "2026-05-30T19:00:26.349000",
      "created": "2026-04-30T19:11:26.525000",
      "tags": [
        "vshell",
        "proxylogon exploitation",
        "godzilla",
        "exchange server compromise",
        "ringq",
        "godzilla webshell",
        "shadowpad",
        "noodlerat"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
      ],
      "public": 1,
      "adversary": "SHADOW-EARTH-053",
      "targeted_countries": [
        "British Indian Ocean Territory",
        "India",
        "Malaysia",
        "Myanmar",
        "Pakistan",
        "Poland",
        "Sri Lanka",
        "Taiwan",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "GODZILLA",
          "display_name": "GODZILLA",
          "target": null
        },
        {
          "id": "ShadowPad - S0596",
          "display_name": "ShadowPad - S0596",
          "target": null
        },
        {
          "id": "POISONPLUG.SHADOW",
          "display_name": "POISONPLUG.SHADOW",
          "target": null
        },
        {
          "id": "NOODLERAT",
          "display_name": "NOODLERAT",
          "target": null
        },
        {
          "id": "RingQ",
          "display_name": "RingQ",
          "target": null
        },
        {
          "id": "IOX",
          "display_name": "IOX",
          "target": null
        },
        {
          "id": "VShell",
          "display_name": "VShell",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1560.001",
          "name": "Archive via Utility",
          "display_name": "T1560.001 - Archive via Utility"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1003.006",
          "name": "DCSync",
          "display_name": "T1003.006 - DCSync"
        },
        {
          "id": "T1090.001",
          "name": "Internal Proxy",
          "display_name": "T1090.001 - Internal Proxy"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Technology",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 36,
        "IPv4": 2,
        "domain": 3,
        "hostname": 18,
        "CVE": 5
      },
      "indicator_count": 94,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386446,
      "modified_text": "36 minutes ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c066362e3ef75c6173eab4",
      "name": "Squidoor: Suspected Chinese Threat Actor\u2019s Backdoor Targets Global Organizations",
      "description": "Since at least March 2023, a suspected Chinese threat actor has been targeting government, defense, telecommunications, education, and aviation sectors in Southeast Asia and South America. The attackers employ a sophisticated backdoor known as Squidoor, which affects both Windows and Linux systems. Squidoor is modular and designed for stealth, utilizing multiple communication protocols\u2014including Outlook API, DNS tunneling, and ICMP tunneling\u2014to establish covert channels with command and control servers. Initial access is typically achieved by exploiting vulnerabilities in Internet Information Services (IIS) servers, followed by the deployment of obfuscated web shells for persistent access.",
      "modified": "2025-03-29T13:00:48.397000",
      "created": "2025-02-27T13:18:46.410000",
      "tags": [
        "squidoor",
        "backdoor",
        "apt",
        "espionage"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
      ],
      "public": 1,
      "adversary": "Squidoor",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        }
      ],
      "industries": [
        "Government",
        "Education",
        "Defense",
        "Aerospace"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 46,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 22,
        "domain": 3,
        "hostname": 2
      },
      "indicator_count": 37,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386448,
      "modified_text": "427 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f97a64033cedf372cf42a0",
      "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
      "description": "",
      "modified": "2026-05-30T19:00:26.349000",
      "created": "2026-05-05T05:04:36.248000",
      "tags": [
        "vshell",
        "proxylogon exploitation",
        "godzilla",
        "exchange server compromise",
        "ringq",
        "godzilla webshell",
        "shadowpad",
        "noodlerat"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
      ],
      "public": 1,
      "adversary": "SHADOW-EARTH-053",
      "targeted_countries": [
        "British Indian Ocean Territory",
        "India",
        "Malaysia",
        "Myanmar",
        "Pakistan",
        "Poland",
        "Sri Lanka",
        "Taiwan",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "GODZILLA",
          "display_name": "GODZILLA",
          "target": null
        },
        {
          "id": "ShadowPad - S0596",
          "display_name": "ShadowPad - S0596",
          "target": null
        },
        {
          "id": "POISONPLUG.SHADOW",
          "display_name": "POISONPLUG.SHADOW",
          "target": null
        },
        {
          "id": "NOODLERAT",
          "display_name": "NOODLERAT",
          "target": null
        },
        {
          "id": "RingQ",
          "display_name": "RingQ",
          "target": null
        },
        {
          "id": "IOX",
          "display_name": "IOX",
          "target": null
        },
        {
          "id": "VShell",
          "display_name": "VShell",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1560.001",
          "name": "Archive via Utility",
          "display_name": "T1560.001 - Archive via Utility"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1003.006",
          "name": "DCSync",
          "display_name": "T1003.006 - DCSync"
        },
        {
          "id": "T1090.001",
          "name": "Internal Proxy",
          "display_name": "T1090.001 - Internal Proxy"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Technology",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": "69f3a95eda9a5492f5d1b6f4",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 40,
        "domain": 3,
        "hostname": 18,
        "CVE": 5
      },
      "indicator_count": 96,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "36 minutes ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5fa1852d337eca8e99c2ec32",
      "name": "Malware - Malware Domain Feed V2 - November 03 2020",
      "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.",
      "modified": "2026-05-30T03:19:46.084000",
      "created": "2020-11-03T16:28:29.011000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 552045,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo",
        "id": "78495",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 49967,
        "domain": 75353
      },
      "indicator_count": 125320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1727,
      "modified_text": "16 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fbad82234fc33123b0ce6d",
      "name": "EbeeMay2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-06T21:07:14.769000",
      "created": "2026-05-06T21:07:14.769000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "filepath",
        "localappdata",
        "cve20250994 cve",
        "temp",
        "mutex",
        "local"
      ],
      "references": [
        "IOCs-May1.csv"
      ],
      "public": 1,
      "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 80,
        "CIDR": 3,
        "CVE": 10,
        "FileHash-MD5": 154,
        "FileHash-SHA1": 140,
        "FileHash-SHA256": 219,
        "URL": 80,
        "domain": 82,
        "email": 8,
        "hostname": 60
      },
      "indicator_count": 836,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "23 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fae85d3be396349f6fe7a2",
      "name": "China Aligned Cyberespionage Campaign Targets Governments",
      "description": "Cybersecurity researchers have identified a China-aligned espionage campaign targeting government and defense organizations across South, East, and Southeast Asia, as well as a European NATO member. The activity cluster, tracked as SHADOW-EARTH-053, has been active since at least late 2024 and shows overlaps with previously known threat groups.\n\nResearchers said the attackers primarily exploit known vulnerabilities in internet-facing Microsoft Exchange and IIS servers, including flaws similar to...",
      "modified": "2026-05-06T07:06:05.988000",
      "created": "2026-05-06T07:06:05.988000",
      "tags": [
        "initial-access",
        "persistence",
        "privilege-escalation",
        "exfiltration",
        "T1190",
        "T1204",
        "T1215",
        "medium",
        "vta",
        "threat-intelligence"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 5,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "IPv4": 4,
        "FileHash-SHA256": 4,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 23,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 59,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f8fcb054d52df9fcf32d55",
      "name": "TI Advisory No-ESAF-SOC-TI-2026-441-443",
      "description": "",
      "modified": "2026-05-04T20:08:16.187000",
      "created": "2026-05-04T20:08:16.187000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 21,
        "IPv4": 9,
        "domain": 5,
        "hostname": 27
      },
      "indicator_count": 104,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 23,
      "modified_text": "25 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f64f570bb1ed019da8bf00",
      "name": "China Linked Hackers Target Multiple Government Sectors",
      "description": "A China-aligned threat group tracked as SHADOW-EARTH-053 is conducting cyber espionage by exploiting vulnerabilities in internet-facing Microsoft Exchange and IIS servers.",
      "modified": "2026-05-02T19:24:07.746000",
      "created": "2026-05-02T19:24:07.746000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1,
        "IPv4": 4,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "28 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "351 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d345231c2eccfcce4d97ce",
      "name": "Squidoor Backdoor Malware Exploits IIS Servers for Stealthy Attacks",
      "description": "A highly advanced backdoor malware, dubbed \"Squidoor,\" is being used by suspected Chinese threat actors to target organizations in South America and Southeast Asia. The malware is designed for stealth and persistence, enabling attackers to maintain access to compromised networks while evading detection.",
      "modified": "2025-04-12T20:04:25.096000",
      "created": "2025-03-13T20:50:43.530000",
      "tags": [
        "squidoor",
        "figure",
        "pastebin",
        "windows",
        "c2 server",
        "windows version",
        "southeast asia",
        "south america",
        "linux",
        "outlook api",
        "alliance",
        "icmp",
        "impacket",
        "code",
        "powershell",
        "february",
        "protect",
        "chinese"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chinese",
          "display_name": "Chinese",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Squidoor",
          "display_name": "Squidoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [
        "Defense",
        "Telecommunication",
        "Education",
        "Aviation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 22,
        "FileHash-SHA1": 22,
        "FileHash-SHA256": 22,
        "domain": 4,
        "hostname": 2
      },
      "indicator_count": 72,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 214,
      "modified_text": "412 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "zimbra-beta.info",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "zimbra-beta.info",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780169837.7948923
}